DUKPT-AES

AES-based DUKPT with BDK or Initial Key input. Derives all 8 working key types with Request/Response/Both Ways key variants. Supports PIN encryption, AES-CMAC, and data encryption with HEX/ASCII input. Supports AES-128, AES-192, and AES-256.

Inputs

• Key Type: BDK (Base Derivation Key) or Initial Key. Use Initial Key if you already have it from a terminal dump or HSM log.
• BDK / Initial Key: The key in hexadecimal. Length determines AES variant: 32 hex (AES-128), 48 hex (AES-192), 64 hex (AES-256).
• KSN: Key Serial Number (12 bytes / 24 hex chars for AES DUKPT). Contains device ID and transaction counter.
• PIN Block: PIN block in hexadecimal (16 bytes / 32 hex chars for AES).
• Data: Hex or ASCII data for MAC calculation or data encryption/decryption.
• Key Usage (MAC): Request, Response, or Both Ways — selects which MAC key variant to use.
• Key Usage (Data): Encrypt, Decrypt, or Both Ways — selects which Data key variant to use.
• Mode: ECB or CBC — block cipher mode for the Data tab.
• IV: Initialization Vector (16 bytes / 32 hex chars) — required for CBC mode.

Tips

• AES DUKPT uses a 12-byte KSN (vs 10-byte for 3DES DUKPT).
• Use BDK when you have the base key. Use Initial Key when you have it from a terminal directly.
• After deriving keys in the first tab, the Initial Key auto-fills when switching to operation tabs.
• PIN tab: encrypts/decrypts a 16-byte PIN block using the derived PIN key with AES ECB.
• MAC tab: calculates AES-CMAC with Request, Response, or Both Ways key variant.
• Data tab: AES DUKPT has separate Encrypt/Decrypt/Both Ways keys — choose the appropriate variant.
• Data input supports both HEX and ASCII formats.

Standards: ANSI X9.24-3:2017

Open the DUKPT-AES tool — free, runs entirely in your browser.

Related Key Management tools